So in https://www.apple.com/newsroom/2022/07/apple-expands-commitment-to-protect-users-from-mercenary-spyware/ Apple says: "Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on."

It seems like we would want to keep the end user from enabling this on MDM devices. Has anyone seen any documentation on how to disable Lockdown Mode? I can't see any in any MDM reference publicly available.

@ega If the device is already enrolled in an MDM, enabling Lockdown Mode does not disable MDM, so you probably don't need to worry about disabling it.


Yes, that's true.


Once MDM has a device, Lockdown Mode does not "break" MDM; you can still deploy new, update, and remove old configuration profiles. On the flip side, Lockdown Mode does jack up all kinds of other things like VPN clients. I do see tickets generated by people who enable this and it breaks stuff, but MDM will be fine. Our VPN will not even connect with Lockdown Mode enabled.


I am also trying to find documentation about how to block Lockdown Mode. We would rather users not turn it on. I don't see any info in the 10.42 documentation or any way in a config profile to block it.


It's not possible to block Lockdown Mode. For JAMF to block it, Apple would need to make the MDM workflow, which they have said they will not be doing. Feedback request time.

Product Feedback - Apple

About Lockdown Mode - Apple Support

Configuration profiles and managed devices

If a device is in Lockdown Mode, new configuration profiles can't be installed, and the device can't be enrolled in Mobile Device Management or device supervision. If a user wants to install a configuration profile or management profile, they need to turn off Lockdown Mode, install the profile, and then re-enable Lockdown Mode, if necessary. These restrictions prevent attackers from attempting to install malicious profiles.

A device that is enrolled in Mobile Device Management before Lockdown Mode is enabled remains managed. System administrators can install and remove configuration profiles on that device.

Lockdown Mode is not a configurable option for Mobile Device Management by system administrators, as it’s designed for the very small number of individual users who might be targeted by extreme cyber attacks.

A Mac Admin, who prefers to remain anonymous, mentioned that the output of the following command may prove interesting:

% defaults read ~/Library/Preferences/.GlobalPreferences.plist LDMGlobalEnabled
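
Since Lockdown Mode cannot be blocked by MDM, the practical defender's move is to know which devices have it on, so the VPN and Classroom tickets mentioned above can be explained quickly. The script below is an added example, not from the thread, Jamf or Apple: it turns the `defaults read` check above into an inventory report in the `<result>` format Jamf Pro expects from an extension attribute script. The meaning of the values (1 = enabled, 0 = disabled, key absent = never toggled) is an assumption the thread does not confirm; the function names `classify_ldm`, `console_home`, `read_ldm_raw` and `ea_result` are my own. Verify the mapping on a test Mac before relying on it.

```shell
#!/bin/sh
# Added example, not from the thread: report macOS Lockdown Mode state using
# the LDMGlobalEnabled key mentioned above, in a form usable as a Jamf
# extension attribute. ASSUMPTION (not confirmed by the thread): 1 = enabled,
# 0 = disabled, missing key = the user never toggled it.

KEY="LDMGlobalEnabled"

# Map the raw `defaults read` output to a readable state. An empty string
# stands for "key not present".
classify_ldm() {
    case "$1" in
        1)  echo "Enabled" ;;
        0)  echo "Disabled" ;;
        "") echo "Not set" ;;
        *)  echo "Unknown ($1)" ;;
    esac
}

# Jamf runs extension attribute scripts as root, so $HOME would point at
# root's home. Resolve the logged-in console user's home directory instead
# (macOS-only commands; falls back to $HOME if they are unavailable).
console_home() {
    user=$(stat -f%Su /dev/console 2>/dev/null)
    home=""
    if [ -n "$user" ]; then
        home=$(dscl . -read "/Users/$user" NFSHomeDirectory 2>/dev/null | awk '{print $2}')
    fi
    echo "${home:-$HOME}"
}

# Read the key from the given home's global preferences. `defaults read`
# exits non-zero and writes to stderr when the key is absent, so that case
# is silenced and yields an empty string.
read_ldm_raw() {
    defaults read "$1/Library/Preferences/.GlobalPreferences.plist" "$KEY" 2>/dev/null || true
}

# Jamf Pro expects an extension attribute script to print its value inside
# <result> tags.
ea_result() {
    echo "<result>$(classify_ldm "$1")</result>"
}

# Run the live check only on macOS; elsewhere the functions can still be
# exercised with constructed values.
if [ "$(uname)" = "Darwin" ] && command -v defaults >/dev/null 2>&1; then
    ea_result "$(read_ldm_raw "$(console_home)")"
fi
```

Deployed as an extension attribute, this gives a searchable "Lockdown Mode: Enabled" field in inventory, which is as close to "managing" the feature as Apple currently allows; it does not and cannot turn the mode off. Run on a Mac that has never toggled the setting, the key is absent and the script reports "Not set" rather than failing.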

Students are using Lockdown Mode to remove themselves from managed Apple Classrooms. To the teacher, it looks like Wi-Fi and Bluetooth are on, but the device will not connect via Apple Classroom. The only way to fix it is to re-push the Edu profile. Did anyone find a way to block students from triggering Lockdown Mode, please?